What is NetBIOS?
NetBIOS is a service that provides network connectivity and is often used for joining a domain and by legacy applications. It is a rather old technology, but it is still used in some software environments, and because the protocol is unprotected it can often be the starting point for an attack on a network. A good place to begin is scanning for NetBIOS shares with NBTScan and the Nmap Scripting Engine.

For this task our target machine will be Metasploitable 2, a virtual machine with intentionally built-in vulnerabilities. We will attack it from Kali Linux, a distribution for hackers and pentesters.
What is NetBIOS?
NetBIOS stands for "Network Basic Input/Output System". It is a service that allows computers to communicate with each other over a network. Strictly speaking, NetBIOS is not a network protocol but an API. It runs on top of TCP/IP using the NBT protocol (NetBIOS over TCP/IP), which lets it work in modern networks.
NetBIOS provides two basic methods of communication. The datagram service allows communication over the network without establishing a connection, which suits situations where fast delivery matters more than reliability, for example when reporting errors. The session service, on the other hand, lets two computers establish a connection for more reliable communication. NetBIOS also provides a name service that handles name resolution and name registration on the network.
The main way attackers abuse NetBIOS is through poisoning attacks: an attacker already on the network impersonates another machine in order to intercept and redirect traffic. At this stage the attacker can also capture hashed user credentials in order to crack them later.
How to use nbtscan
NBTScan is a command line tool for scanning networks for NetBIOS shared resources and name information. It works on both Unix and Windows and is included in the standard Kali Linux distribution by default.
The first thing we can do is print the help text, which gives an overview of all the options and a few examples of scanning networks. Just type nbtscan in the terminal.
nbtscan
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.
Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
-v verbose output. Print all names received
from each host
-d dump packets. Print whole packet contents.
-e Format output in /etc/hosts format.
-l Format output in lmhosts format.
Cannot be used with -v, -s or -h options.
-t timeout wait timeout milliseconds for response.
Default 1000.
-b bandwidth Output throttling. Slow down output
so that it uses no more that bandwidth bps.
Useful on slow links, so that ougoing queries
don't get dropped.
-r use local port 137 for scans. Win95 boxes
respond to this only.
You need to be root to use this option on Unix.
-q Suppress banners and error messages,
-s separator Script-friendly output. Don't print
column and record headers, separate fields with separator.
-h Print human-readable names for services.
Can only be used with -v option.
-m retransmits Number of retransmits. Default 0.
-f filename Take IP addresses to scan from file filename.
-f - makes nbtscan take IP addresses from stdin.
<scan_range> what to scan. Can either be single IP
like 192.168.1.1 or
range of addresses in one of two forms:
xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
nbtscan -r 192.168.1.0/24
Scans the whole C-class network.
nbtscan 192.168.1.25-137
Scans a range from 192.168.1.25 to 192.168.1.137
nbtscan -v -s : 192.168.1.0/24
Scans C-class network. Prints results in script-friendly
format using colon as field separator.
Produces output like that:
192.168.0.1:NT_SERVER:00U
192.168.0.1:MY_DOMAIN:00G
192.168.0.1:ADMINISTRATOR:03U
192.168.0.2:OTHER_BOX:00U
...
nbtscan -f iplist
Scans IP addresses specified in file iplist.
The simplest (and most basic) way to launch this handy tool is to give it a range of IP addresses. In our case there is only one computer on the network, so we will give its IP address as the example.
nbtscan 172.16.1.102
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
172.16.1.102 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
Here we see the IP address, the NetBIOS name, the server marker (if any), the user and the MAC address of the target. Note that machines running Samba sometimes return an all-zero MAC address in response to this request.
We can get a little more information by setting the verbose -v flag.
nbtscan 172.16.1.102 -v
Doing NBT name scan for addresses from 172.16.1.102
NetBIOS Name Table for Host 172.16.1.102:
Incomplete packet, 335 bytes long.
Name Service Type
----------------------------------------
METASPLOITABLE <00> UNIQUE
METASPLOITABLE <03> UNIQUE
METASPLOITABLE <20> UNIQUE
METASPLOITABLE <00> UNIQUE
METASPLOITABLE <03> UNIQUE
METASPLOITABLE <20> UNIQUE
__MSBROWSE__ <01> GROUP
WORKGROUP <00> GROUP
WORKGROUP <1d> UNIQUE
WORKGROUP <1e> GROUP
WORKGROUP <00> GROUP
WORKGROUP <1d> UNIQUE
WORKGROUP <1e> GROUP
Adapter address: 00:00:00:00:00:00
----------------------------------------
Here we see the services registered on the host and an indication of their type. This jumble of hex codes brings us to the next use case, which prints the services in a readable form. To do this, use the -h flag together with the -v flag.
nbtscan 172.16.1.102 -vh
Doing NBT name scan for addresses from 172.16.1.102
NetBIOS Name Table for Host 172.16.1.102:
Incomplete packet, 335 bytes long.
Name Service Type
----------------------------------------
METASPLOITABLE Workstation Service
METASPLOITABLE Messenger Service
METASPLOITABLE File Server Service
METASPLOITABLE Workstation Service
METASPLOITABLE Messenger Service
METASPLOITABLE File Server Service
__MSBROWSE__ Master Browser
WORKGROUP Domain Name
WORKGROUP Master Browser
WORKGROUP Browser Service Elections
WORKGROUP Domain Name
WORKGROUP Master Browser
WORKGROUP Browser Service Elections
Adapter address: 00:00:00:00:00:00
----------------------------------------
Now we see somewhat more useful information. We can also set the -d flag to dump the contents of the entire packet.
nbtscan 172.16.1.102 -d
Doing NBT name scan for addresses from 172.16.1.102
Packet dump for Host 172.16.1.102:
Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE Service: 0x00 Flags: 0x0004
METASPLOITABLE Service: 0x03 Flags: 0x0004
METASPLOITABLE Service: 0x20 Flags: 0x0004
METASPLOITABLE Service: 0x00 Flags: 0x0004
METASPLOITABLE Service: 0x03 Flags: 0x0004
METASPLOITABLE Service: 0x20 Flags: 0x0004
__MSBROWSE__ Service: 0x01 Flags: 0x0084
WORKGROUP Service: 0x00 Flags: 0x0084
WORKGROUP Service: 0x1d Flags: 0x0004
WORKGROUP Service: 0x1e Flags: 0x0084
WORKGROUP Service: 0x00 Flags: 0x0084
WORKGROUP Service: 0x1d Flags: 0x0004
WORKGROUP Service: 0x1e Flags: 0x0084
...
This command shows us the raw packet data returned for the request. Note that this option cannot be combined with the -v or -h options.
If you want to scan a list of IP addresses stored in a file, use the -f flag to specify that file as input, and the addresses will be read from it. In our case there is only one computer on the network, so the scan shows just that one host.
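To show what nbtscan is decoding in the -d dump above, here is an added Python example (not part of this article or of nbtscan) that builds the same wildcard NBSTAT query, whose first-level-encoded name is the CKAAAA... string seen in the dump, and parses a node status response into the readable service names that -vh prints. The response bytes are constructed inline from the seven distinct entries in the dump, so nothing is sent on the network; the same parser can be pointed at NBNS packets from a capture.

```python
import struct

# Suffix/group -> readable service, the same labels nbtscan -vh printed above.
SERVICES = {
    (0x00, False): "Workstation Service", (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service", (0x20, False): "File Server Service",
    (0x01, True): "Master Browser", (0x1d, False): "Master Browser",
    (0x1e, True): "Browser Service Elections",
}

def encode_name(name):
    """RFC 1001 first-level encoding: pad to 16 bytes, each nibble becomes 'A' + nibble."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def build_nbstat_query(txid=0x00A0):
    """Constructed NBSTAT query for the wildcard name '*' (type 0x21, class IN)."""
    qname = b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 0x21, 1)

def parse_nbstat_response(pkt):
    """Return (txid, [(name, suffix, is_group, service)], mac) from a NODE STATUS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    pos = 12 + 34                          # skip the 34-byte encoded answer name
    rtype, _cls, _ttl, _rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    if rtype != 0x21:
        raise ValueError("unexpected record type %#x" % rtype)
    pos += 10
    num_names, pos = pkt[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack("!15sBH", pkt[pos:pos + 18])
        pos += 18
        # On the wire group is bit 0x8000 and active 0x0400; nbtscan -d shows it byte-swapped.
        is_group = bool(nflags & 0x8000)
        name = "".join(c for c in raw.decode("latin-1") if c.isprintable()).strip()
        names.append((name, suffix, is_group, SERVICES.get((suffix, is_group), "unknown")))
    mac = ":".join("%02x" % b for b in pkt[pos:pos + 6])  # statistics block begins with the MAC
    return txid, names, mac

def build_sample_response():
    """Constructed reply with the seven distinct entries from the -d dump above, all-zero MAC."""
    entries = [(b"METASPLOITABLE", 0x00, 0x0400), (b"METASPLOITABLE", 0x03, 0x0400),
               (b"METASPLOITABLE", 0x20, 0x0400), (b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),
               (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1d, 0x0400), (b"WORKGROUP", 0x1e, 0x8400)]
    body = bytes([len(entries)]) + b"".join(struct.pack("!15sBH", n.ljust(15), s, f) for n, s, f in entries)
    body += bytes(46)                      # 46-byte statistics block (RFC 1002), MAC first
    header = struct.pack("!6H", 0x00A0, 0x8400, 0, 1, 0, 0) + b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    return header + struct.pack("!HHIH", 0x21, 1, 0, len(body)) + body
```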
nbtscan -f addresses.txt
Doing NBT name scan for addresses from addresses.txt
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
172.16.1.102 METASPLOITABLE <server> METASPLOITABLE 00:00:00:00:00:00
Conversely, if you want to save the results of a scan, just redirect the command's output to the file you want to write the data to.
nbtscan 172.16.1.102 > scan.txt
Scan Using Nmap Scripting Engine
Nmap, through the Nmap Scripting Engine (NSE), has a very handy little script that we can also use to detect NetBIOS shared resources. This method has a slight advantage over the previous one: it can be run alongside other NSE scripts, which saves time when enumerating many different things on the network.
We run Nmap in the usual way, and the nbstat script's output appears at the end. Here we use the -sV option to probe ports and identify running services and their versions, together with the -v flag for verbose output. Specify the script you want to use, and we are ready to go.
nmap -sV 172.16.1.102 --script nbstat.nse -v
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]
...
Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
Nmap starts its usual scan, and towards the end we finally see the results of the script. They match the results of the scan we performed earlier, but it never hurts to know different ways of performing the same task.
How to prevent scanning of shared NetBIOS resources
Fortunately for administrators, there is a fairly simple way to protect against unauthorized scanning of NetBIOS shares: disable NetBIOS itself. There are situations where disabling it causes malfunctions, for example when some obsolete application depends entirely on it, but in most cases more modern replacements for those applications already exist and disabling NetBIOS will do no harm. If you absolutely need NetBIOS, avoid using default names: in some versions of Windows, C$ and ADMIN$ are well-known names and should be avoided where possible.
Conclusion
In this lesson we learned about the NetBIOS service and how it can be used in an attack. Using NBTScan, a simple console tool, we scanned for and listed shared resources, and then saw how to use an Nmap script for the same purpose. NetBIOS may be an obsolete technology, but it is still found in corporate environments, and after reconnaissance it can often be a good starting point for an attack, so it is helpful to know how it can be identified.